Posted to commits@camel.apache.org by as...@apache.org on 2020/02/26 18:34:55 UTC

[camel-k] 12/15: feat(buildah): Add security context capabilities required by Buildah on OpenShift

This is an automated email from the ASF dual-hosted git repository.

astefanutti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit ee07e9cec69eef14f1b9116dbd1433d6e75b39ca
Author: Antonin Stefanutti <an...@stefanutti.fr>
AuthorDate: Wed Feb 26 10:44:55 2020 +0100

    feat(buildah): Add security context capabilities required by Buildah on OpenShift
---
 pkg/trait/builder.go | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/pkg/trait/builder.go b/pkg/trait/builder.go
index 4d9214a..76df2ac 100644
--- a/pkg/trait/builder.go
+++ b/pkg/trait/builder.go
@@ -175,11 +175,9 @@ func (t *builderTrait) builderTask(e *Environment) *v1.BuilderTask {
 		BaseTask: v1.BaseTask{
 			Name: "builder",
 		},
-		Meta:      e.IntegrationKit.ObjectMeta,
-		BaseImage: e.Platform.Status.Build.BaseImage,
-		Runtime:   e.CamelCatalog.Runtime,
-		//Sources:         e.Integration.Spec.Sources,
-		//Resources:       e.Integration.Spec.Resources,
+		Meta:         e.IntegrationKit.ObjectMeta,
+		BaseImage:    e.Platform.Status.Build.BaseImage,
+		Runtime:      e.CamelCatalog.Runtime,
 		Dependencies: e.IntegrationKit.Spec.Dependencies,
 		//TODO: sort steps for easier read
 		Steps:      builder.StepIDsFor(builder.DefaultSteps...),
@@ -294,6 +292,16 @@ func (t *builderTrait) buildahTask(e *Environment) (*v1.ImageTask, error) {
 			Args:       []string{strings.Join(args, " && ")},
 			Env:        env,
 			WorkingDir: path.Join(builderDir, e.IntegrationKit.Name, "context"),
+			// This requires the builder service account to have privileged SCC on OpenShift
+			// It should be removed when Buildah fully supports unprivileged build
+			SecurityContext: &corev1.SecurityContext{
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{
+						"SETGID",
+						"SETUID",
+					},
+				},
+			},
 		},
 		BuiltImage: image,
 	}, nil
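Review bot: The new `SecurityContext` on the Buildah container adds `SETGID` and `SETUID`, but the comment above it says the builder service account needs the privileged SCC, which permits far more than these two capabilities. If they are all Buildah needs here, the comment should say so and point operators to a dedicated SCC whose `allowedCapabilities` lists only them, e.g. `// Needs an SCC allowing the SETUID and SETGID capabilities; prefer a dedicated SCC over "privileged"`. Nothing visible in the hunk limits the setting to OpenShift, so on other clusters the container would apparently request the same extra capabilities and could be rejected by a restrictive admission policy. Consider gating it on the cluster type if that is known inside `buildahTask`, whose body starts and ends outside this hunk. The "should be removed" line would be easier to act on as a `TODO` that references the upstream Buildah issue it is waiting for.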